Dynamic Routing Inside IPsec VPNs
New Threats and Defenses

Paul Knight, Nortel Networks
paknight@nortelnetworks.com
Agenda
• Setting the stage
– IPsec topology background
– Dynamic routing in IPsec
• Attack and Defense
– Attacks from the Internet
• Denial of service
• Remote access “Split tunnel”
– Internal “branch-to-branch” attacks
• Routing attacks
• Misconfigurations
– Requirements: Securing IPsec routing

Dynamic Routing Inside IPsec VPNs- 2


Black Hat Briefings – Paul Knight
IPsec topology background

• The IPsec VPN model


– What is an “IPsec Gateway”?
– What are Tunnel and Transport Modes?
– What’s a Security Association?
• IPsec VPN topologies
– Not host-to-host
– Remote access VPN
– Major focus: Multi-site, branch offices

IPSec VPN models: Hosts and Security Gateways
[Diagram: three topologies, each crossing the Internet (untrusted network)]
– Host-to-host: IPsec directly between two hosts (not a VPN)
– “Branch-to-branch” VPN model: between IPsec gateways, with a trusted network behind each gateway
– “Remote access” VPN model: host to IPsec gateway, with the trusted network behind the gateway
Two IPSec Modes: Transport and Tunnel Mode
[Diagram: packet layouts]
Transport Mode: Original IP Header | IPSec ESP Header | Data
– optional encryption covers the Data only; the original IP header stays in the clear
Tunnel Mode: New IP Header (outer) | IPSec ESP Header | Original IP Header (inner) | Data
– optional encryption covers the inner IP header and the Data; only the outer header is visible
Application of the IPsec modes
[Diagram: host to host across the Internet (untrusted network); IPSec gateway to IPSec gateway with a trusted network behind each gateway]
• Between hosts: can use Transport (or Tunnel) Mode
• Between gateways: can ONLY use Tunnel Mode (or extra IP encapsulation inside Transport Mode) – MUST hide IP addresses of trusted networks
Application of the IPsec modes – Remote Access
[Diagram: remote host across the Internet (untrusted network) to an IPsec gateway with the trusted network behind it]
• SHOULD use Tunnel Mode between host and gateway
– Hide IP addresses of trusted networks
– Allow remote host to truly join trusted network
– IPsec gateway assigns host a tunnel address, like DHCP
• Alternative: Transport Mode to “Application Level Gateway”
– IPsec gateway actually becomes a “host”
– Remote host is limited to applications supported by “gateway”
– Similar to SSL gateway model; heavy burden on “gateway”
Security Association (SA)
• SA = All the information shared between two IPsec systems to establish secure communication
– Selection of the security mechanisms:
• ESP or AH protection
• Ciphering algorithm
• Hash function
• Choice of authentication method
– Authentication of the two parties
– Choice of the ciphering and authentication keys
Security Databases
• A model to ensure a minimum of interoperability
• RFC 2401 – “Security Architecture for the Internet Protocol”
• Two Security Databases maintained on the IPSec system
– Security Policy Database (SPD)
– Security Association Database (SAD)
Security Association Database (SAD)
• All active Security Associations
• For each SA entry, includes:
– Identifier:
• Outer destination IP address
• Security Protocol
• SPI – Security Parameter Index
– Parameters
• Authentication algorithm and keys
• Encryption algorithm and keys
• Lifetime
• Security Protocol Mode (tunnel or transport)
• Anti-replay service
• Link with an associated policy in the SPD
Security Policy Database (SPD)
• Applies to every packet
• For each policy entry, includes:
– Selectors
• Destination IP Address
• Source IP Address
• Name
• Transport Layer Protocol (protocol number)
• Source and Destination Ports
– The policy:
• Discard the packet, bypass or process IPSec
• For IPSec Processing:
- Security Protocol and Mode
- Enabled Services (anti-replay, authentication, encryption)
- Algorithms (for authentication and/or encryption)
– Link to an active SA in the SAD (if it exists)
Inbound Packet Processing
[Diagram: arriving packet (IP Header | IPSec Header | IP Header) is looked up in the SAD, then in the SPD, inside the IPSec system]
1. Identifies the SA in the SAD using the selectors of the outer packet: destination IP address, Security Protocol, SPI
2. Read the SA parameters
3. Performs the enabled IPSec services: authentication, decryption, anti-replay service
4. Identifies the policy in the SPD according to the selectors of the decapsulated packet
5. Check the policy: the decapsulated packet must match the SPD entry linked to the SA, otherwise it is discarded
Outbound Packet Processing
[Diagram: outgoing packet (IP Header | Data) is looked up in the SPD, then in the linked SA in the SAD, inside the IPSec system; the result is IP Header | IPSec Header | IP Header]
1. Identifies the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate new SA if necessary
4. Read the SA parameters specified by the link (SPD entry → SAD entry)
5. Computes the IPSec processing
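The two processing slides above can be walked through in code. The following is an added example, not code from the talk or from any Nortel product: a toy SPD and SAD in the shape of RFC 2401's databases, driven through the outbound steps 1-5 and the inbound steps 1-5. Addresses, prefixes, SPIs and the sample packets are made up, and IKE, decryption and the integrity check are stood in for by plain dictionaries. It also shows the "routing problem" discussed later: when Site Z adds a subnet that no selector covers, the packet falls through to a catch-all BYPASS entry and leaves in the clear.

```python
"""Added example, not from the talk: a toy SPD and SAD in the shape of RFC 2401's
databases, driven through the outbound and inbound processing steps.
Addresses, prefixes and SPIs are made up; IKE, decryption and ICV checks are
stood in for by plain dictionaries."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Policy:
    selector: Selector
    action: str                        # DISCARD, BYPASS or PROTECT
    peer: str = ""                     # outer destination: the IPsec peer gateway
    mode: str = "tunnel"
    sa_id: Optional[Tuple] = None      # link to an active SA in the SAD, if one exists


@dataclass
class SA:
    outer_dst: str
    protocol: str                      # "ESP" or "AH"
    spi: int
    mode: str
    policy_index: int                  # link back to the SPD entry
    seq_last: int = 0                  # anti-replay: last sequence number seen (window of 1)


class IpsecSystem:
    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.spd: List[Policy] = []            # ordered, first match wins
        self.sad: Dict[Tuple, SA] = {}         # keyed by (outer dst, protocol, SPI)
        self._next_spi = 0x1000

    def outbound(self, pkt: Dict) -> Dict:
        for index, pol in enumerate(self.spd):               # 1. identify the policy
            if pol.selector.matches(pkt):
                break
        else:
            return {"action": "DISCARD", "reason": "no SPD entry"}   # no selector, no "route"
        if pol.action != "PROTECT":                           # 2. read the policy parameters
            return {"action": pol.action, "packet": pkt}
        sa = self.sad.get(pol.sa_id) if pol.sa_id else None
        if sa is None:                                        # 3. initiate a new SA (IKE stand-in)
            sa = SA(pol.peer, "ESP", self._next_spi, pol.mode, index)
            self._next_spi += 1
            self.sad[(sa.outer_dst, sa.protocol, sa.spi)] = sa
            pol.sa_id = (sa.outer_dst, sa.protocol, sa.spi)
        sa.seq_last += 1                                      # 4. read SA parameters, 5. apply IPsec
        return {"action": "PROTECT", "outer_src": self.gateway_ip, "outer_dst": sa.outer_dst,
                "protocol": sa.protocol, "spi": sa.spi, "seq": sa.seq_last, "inner": pkt}

    def inbound(self, esp: Dict) -> Dict:
        sa = self.sad.get((esp["outer_dst"], esp["protocol"], esp["spi"]))   # 1. identify the SA
        if sa is None:
            return {"action": "DISCARD", "reason": "unknown SA"}
        if esp["seq"] <= sa.seq_last:                         # 2./3. SA parameters, anti-replay
            return {"action": "DISCARD", "reason": "replayed sequence number"}
        sa.seq_last = esp["seq"]
        inner = esp["inner"]                                  # 3. authentication/decryption (assumed OK)
        pol = self.spd[sa.policy_index]                       # 4. identify the policy via the SA's link
        if pol.action != "PROTECT" or not pol.selector.matches(inner):   # 5. check the policy
            return {"action": "DISCARD", "reason": "inner packet outside the SA's selectors"}
        return {"action": "DELIVER", "packet": inner}


def demo() -> Dict:
    gw_a, gw_z = IpsecSystem("192.0.2.1"), IpsecSystem("198.51.100.1")   # Site A and Site Z gateways
    a_to_z = Selector("10.1.0.0/16", "10.3.0.0/16")
    gw_a.spd.append(Policy(a_to_z, "PROTECT", peer="198.51.100.1"))               # index 0
    gw_a.spd.append(Policy(Selector("10.1.0.0/16", "0.0.0.0/0"), "BYPASS"))     # Internet, in the clear
    gw_z.spd.append(Policy(a_to_z, "PROTECT", peer="192.0.2.1"))                 # Z's view of the same SA
    r = {}
    out = gw_a.outbound({"src": "10.1.0.5", "dst": "10.3.0.9", "proto": 6, "dport": 22})
    r["first"] = out["action"]
    # IKE stand-in on Z: install the SA that A just negotiated, linked to Z's policy 0.
    gw_z.sad[(out["outer_dst"], "ESP", out["spi"])] = SA(out["outer_dst"], "ESP", out["spi"], "tunnel", 0)
    r["deliver"] = gw_z.inbound(out)["action"]
    r["replay"] = gw_z.inbound(out)["reason"]
    spoofed = dict(out, seq=out["seq"] + 1,
                   inner={"src": "10.9.0.1", "dst": "10.3.0.9", "proto": 6, "dport": 22})
    r["spoofed_inner"] = gw_z.inbound(spoofed)["reason"]
    # Site Z adds 10.4.0.0/16 but no SA is renegotiated: the catch-all entry wins.
    r["new_subnet"] = gw_a.outbound({"src": "10.1.0.5", "dst": "10.4.0.1", "proto": 6})["action"]
    return r
```

The last line of `demo()` is the point of the later slides in miniature: the SPD selectors behave like static routes, so a network added at Site Z is not protected until somebody edits the policy, and with a permissive catch-all it is sent across the Internet unprotected rather than dropped.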
Why is dynamic routing in IPsec VPNs important?
• Like ANY sizable network – without dynamic routing, life is HARD!
• It’s too hard to maintain static routes
• Hard to set up load balancing
• Hard to set up failover
• Hard to manage changes
• Hard to add new network sites
The IPsec “routing problem”

• Usual conversation:
– What’s the problem? You can already carry routing
protocols over IPsec.
– Yes, but you can’t actually use them to ROUTE.
– Huh?
– The IPsec Security Associations have selectors that
determine the traffic they allow. They are like static
routes.
– Oh… Yeah… I see the problem.

The IPsec “routing problem”
• Dynamic routing in VPNs is a requirement
• Tunnel mode is incompatible with dynamic routing
– draft-touch-ipsec-vpn-04.txt (IETF – http://www.ietf.org/internet-drafts/X)
– draft-wang-cevpn-routing-00.txt
– draft-knight-ppvpn-ipsec-dynroute-01.txt
• WHY? Security Associations are created with selectors → Tunnels have built-in “static routes”
• SP and SA Database lookups do the “routing”
• SA setup is orders of magnitude slower than a routing change → Dynamically changing SAs due to routing updates doesn’t scale
Reference topology
[Diagram: Sites A, X, Y and Z, each behind its own CPE (IPsec gateway), connected over an untrusted network]
• Typical dynamic routing issues
– “Z” adds a new network
– New site added (Hub/spoke model)
– A link (IPsec connection) breaks; re-route through another site
SP, SA Databases determine “routing” into tunnels – cannot adapt dynamically
[Diagram: IPsec gateway (CPE) at Site A; outbound traffic is matched against the SPD and SAD, with one SA pair per destination address range, towards Sites X, Y and Z across the untrusted network]
• Route exchange possible, but useless… (SPD, SAD control “routing”)
The basic solution
• Remove the tunnel’s “static routes” …. HOW?
• (1) Use “wild card” in tunnel SAs (allow all traffic) OR
• (2) Use encapsulation to make the traffic fit the “static route”, by
setting destination address in the encapsulated traffic
– IP-in-IP over Transport (IIPtran)
– Generic Routing Encapsulation (GRE) in tunnel or
transport
• Both approaches are essentially similar in key ways, but (2) is more
secure
– IPsec can still apply source/destination selectors
– Less chance for errors due to different systems’
dynamic routing abilities
• Either way, you must do “routing” (SA selection or encapsulation
addressing) outside IPsec, and push traffic into a “VPN Tunnel”
(may be Transport Mode)

Routing outside IPsec: Each SPD/SAD handles a smaller address selector range
[Diagram: IPsec gateway at Site A; outbound traffic passes through a routing function before the SPD/SAD; one “VPN Tunnel” SA pair between sites (unless QoS or security requires more), to the CPE at each of Sites X, Y and Z across the untrusted network; routing exchange via OSPF, RIP, etc. runs through the tunnels]
Tunnel mode =
Transport mode + IP encapsulation
• Key concept for dynamic routing
1) Determine “next IPsec hop” of the packet, using
policy, based on any criteria the “routing engine”
can handle –route to destination (using dynamic
information!), protocol, port (socket), even content
analysis (URL, etc.)
2) Construct new encapsulating IP header with
source/destination of next IPsec hop
3) Pass to IPsec process for TRANSPORT mode
processing
• Resulting packet is equivalent to tunnel mode, but
now it is routed using dynamic routing updates
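Step 1 of the recipe above is a routing lookup that lives outside IPsec. The following is an added example, not code from the talk or from any Nortel product, of the "route first, then pick the VPN tunnel" model of the preceding slides: a longest-prefix-match table fed by routing updates decides the next IPsec hop, each peer has one wildcard SA, and the three issues from the reference topology (Z adds a network, a link breaks, re-route through another site) touch only the route table, never the SAs. Sites, prefixes and gateway addresses are made up; the routing protocol itself is abstracted into `update()` and `withdraw()` calls.

```python
"""Added example, not from the talk: a routing engine in front of IPsec.
Each peer gateway has one address-filter-free "VPN tunnel" SA, so next-hop
selection is a plain longest-prefix match over dynamically learned routes.
Sites, prefixes and gateway addresses are made up."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class VpnRouter:
    def __init__(self, local_site: str, local_prefixes: List[str]):
        self.local_site = local_site
        # prefix -> [(metric, next-hop site)], lowest metric first
        self.routes: Dict[ipaddress.IPv4Network, List[Tuple[int, str]]] = {}
        for p in local_prefixes:
            self.routes[ipaddress.ip_network(p)] = [(0, local_site)]
        self.tunnels: Dict[str, str] = {}      # peer site -> peer gateway address (one SA pair each)
        self.tunnel_up: Dict[str, bool] = {}

    def add_tunnel(self, site: str, gateway_ip: str) -> None:
        self.tunnels[site] = gateway_ip
        self.tunnel_up[site] = True

    def update(self, prefix: str, via_site: str, metric: int) -> None:
        """A routing-protocol advertisement received through the tunnel from via_site."""
        net = ipaddress.ip_network(prefix)
        entries = [e for e in self.routes.get(net, []) if e[1] != via_site]
        entries.append((metric, via_site))
        self.routes[net] = sorted(entries)

    def withdraw(self, prefix: str, via_site: str) -> None:
        net = ipaddress.ip_network(prefix)
        remaining = [e for e in self.routes.get(net, []) if e[1] != via_site]
        if remaining:
            self.routes[net] = remaining
        else:
            self.routes.pop(net, None)

    def tunnel_down(self, site: str) -> None:
        """The IPsec connection to a site breaks: every route learned via it goes away."""
        self.tunnel_up[site] = False
        for net in list(self.routes):
            self.withdraw(str(net), site)

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest prefix match -> (next-hop site, next IPsec hop gateway address).
        Returns None when nothing usable exists: there is deliberately no
        default route towards the Internet, so unknown internal destinations
        are dropped rather than sent unprotected."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            return None
        for _metric, site in self.routes[best]:
            if site == self.local_site:
                return (site, "local")
            if self.tunnel_up.get(site):
                return (site, self.tunnels[site])
        return None


def demo() -> dict:
    a = VpnRouter("A", ["10.1.0.0/16"])
    a.add_tunnel("X", "192.0.2.10")
    a.add_tunnel("Y", "192.0.2.20")
    a.add_tunnel("Z", "192.0.2.30")
    a.update("10.3.0.0/16", "Z", 10)       # Z's own network, advertised by Z
    a.update("10.3.0.0/16", "Y", 20)       # also reachable through Y (Y has its own tunnel to Z)
    r = {"direct": a.lookup("10.3.0.9")}
    a.update("10.4.0.0/16", "Z", 10)       # "Z adds a new network": one routing update, no new SA
    r["new_net"] = a.lookup("10.4.0.1")
    a.tunnel_down("Z")                     # the A-Z IPsec connection breaks
    r["reroute"] = a.lookup("10.3.0.9")    # now via Y, over Y's existing SA
    r["unreachable"] = a.lookup("10.4.0.1")   # nobody else advertises 10.4/16: dropped, not leaked
    r["local"] = a.lookup("10.1.0.7")
    return r
```

The returned gateway address is what the encapsulation step (step 2) writes into the new outer IP header before handing the packet to transport-mode IPsec; with per-prefix SAs the `new_net` and `reroute` cases would each have required an SA change.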
Tunnel mode = Transport mode + IP encapsulation
[Diagram: packet layouts]
Remember transport mode? Original IP Header | IPSec ESP Header | Data (optional encryption)
IP-in-IP encapsulation: New IP Header | Original IP Header | Data – the original packet becomes the new “Data”; the addresses in the new IP header determine where the packet goes
Transport mode applied to the encapsulated packet: New IP Header | IPSec ESP Header | Original IP Header | Data (optional encryption) – packet looks like Tunnel Mode!
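The equivalence claimed on this slide and the packet layouts of the transport/tunnel mode slide can be checked byte for byte. The following is an added example, not code from the talk or from any Nortel product: it builds the three layouts with RFC 4303 ESP framing, no encryption (ESP-NULL, the "optional encryption" left out) and an HMAC-SHA1-96 integrity check value, and shows that IP-in-IP followed by transport-mode ESP yields exactly the tunnel-mode packet. The addresses, the integrity key and the payload are made up.

```python
"""Added example, not from the talk: build transport-mode, tunnel-mode and
IP-in-IP-then-transport packets with ESP-NULL plus HMAC-SHA1-96, and show the
last two are identical.  Addresses, key and payload are made up."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4     # next-header value for "IP in IP" (RFC 2003)
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def _ip2bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, _ip2bytes(src), _ip2bytes(dst))
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, next_header: int, payload: bytes, auth_key: bytes) -> bytes:
    """ESP packet: SPI | seq | payload | padding | pad len | next header | ICV.
    Padding aligns payload plus the 2 trailer bytes to 4 octets, as RFC 4303
    requires without a cipher; the slides' optional encryption is omitted, so
    the payload is authenticated but travels in the clear."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96 over the ESP packet
    return body + icv


def transport_mode(packet: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Transport mode: keep the original IP header; ESP protects only what follows it."""
    ttl, proto = packet[8], packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    esp = esp_encapsulate(spi, seq, proto, packet[20:], auth_key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp), ttl) + esp


def tunnel_mode(packet: bytes, outer_src: str, outer_dst: str, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Tunnel mode: new outer header, ESP, then the whole original packet (next header 4)."""
    esp = esp_encapsulate(spi, seq, IPPROTO_IPIP, packet, auth_key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def ipip_encapsulate(packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Plain IP-in-IP: the original packet becomes the new "Data" and the new
    header's addresses (the next IPsec hop) decide where it goes."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(packet)) + packet


def ipip_then_transport(packet: bytes, outer_src: str, outer_dst: str, spi: int, seq: int, auth_key: bytes) -> bytes:
    """The slide's recipe: encapsulate towards the next IPsec hop, then transport mode."""
    return transport_mode(ipip_encapsulate(packet, outer_src, outer_dst), spi, seq, auth_key)


# Constructed sample: an inner packet whose protocol field says UDP and whose
# 12 payload bytes stand in for a datagram, from a Site A host to a Site Z host.
AUTH_KEY = b"made-up-integrity-key"
INNER = ipv4_header("10.1.0.5", "10.3.0.9", IPPROTO_UDP, 12) + b"hello-branch"
GW_A, GW_Z = "192.0.2.1", "198.51.100.1"      # made-up public gateway addresses


def demo() -> dict:
    trans = transport_mode(INNER, 0x1001, 1, AUTH_KEY)
    tun = tunnel_mode(INNER, GW_A, GW_Z, 0x1001, 1, AUTH_KEY)
    via = ipip_then_transport(INNER, GW_A, GW_Z, 0x1001, 1, AUTH_KEY)
    return {
        "transport_len": len(trans),
        "tunnel_len": len(tun),
        "same_bytes": tun == via,                                  # the slide's claim
        "outer_dst": ".".join(map(str, tun[16:20])),               # all the Internet sees
        "transport_exposes_inner_dst": trans[16:20] == INNER[16:20],
        "esp_next_header": tun[-13],                               # byte before the 12-byte ICV
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`transport_exposes_inner_dst` is why the earlier slide says gateways can ONLY use tunnel mode (or IP-in-IP over transport): transport mode leaves the trusted-network addresses in the outer header for anyone on the untrusted network to read.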
Routing with VPN tunnels

• What is a “VPN TUNNEL?”


– An IPsec SA with NO effective address filters
– May be IPsec tunnel mode or IP-in-IP over transport mode
– It allows ANY IP traffic (unicast/multicast) to pass
– It allows routing protocols to pass
– Its end points are the IPsec gateway interfaces
– It still protects all traffic with encryption
– It is like an Ethernet, ATM, or Frame Relay “link” over the
Internet, but secured by IPsec
• Since you can’t use the IPsec tunnel definitions or
“filters” to select destinations, you MUST route
before putting the traffic into an IPsec “VPN tunnel”
Routing with VPN Tunnels:
Requirements for IPsec Gateways
• Full-power router “inside” the IPsec gateway, with
traffic and route filters, even firewalls
• Ability to separate VPN routes from external
(untrusted network) and local routes
• Ability to use the endpoint of the IPsec “VPN
Tunnel” just like any IP-capable interface
– To pass routed traffic
– To send and receive routing protocols

Remote Access IPsec VPN routing attack
[Diagram: remote client across the Internet (untrusted network) to an IPsec gateway with the trusted network behind it]
• Split tunneling
– Captive tunnel: Client’s “default route” points into tunnel to IPsec gateway; other routes not allowed
– Split tunnel: Client’s default route is into Internet; specific routes to trusted network are loaded into Client’s routing table by IPsec Gateway
• Denial of Service Attacks
– Various attacks to waste Gateway’s resources (bandwidth, open connections, processing time, etc.)
– Not the subject of this talk (but interesting!)
No Split Tunneling:
[Diagram: the remote client’s only path is the tunnel to the IPsec gateway; its Internet traffic goes through the trusted network and out through the host firewall]
Split Tunneling:
[Diagram: the remote client has a direct path to the Internet alongside its tunnel to the IPsec gateway; that path does not pass the trusted network’s firewall]
Why allow split tunneling?
• Avoid wasting bandwidth at VPN hub site
– Internet traffic of clients would traverse the hub site
– (Can be avoided by policy blocking Internet access during remote access, forcing client to log out of VPN)
• Short DHCP/PPPoE leases may require frequent contact with the server at client’s ISP
– Can’t contact server if all routes point to VPN tunnel
• Convenience of keeping VPN connection up during other Internet access
Split Tunneling – Potential Attacks
• FTP relay through client
– Client running FTP server can become conduit from Internet into trusted network
– Other similar services running on client – tftp, smtp, or custom relay application, maybe malicious application
• RAT – Remote Access Trojan on client
– Back Orifice, etc.
– PC Anywhere (not a “Trojan” but same issue)
– Allow remote control of PC, and thus potential access to trusted network
Split Tunneling – Defenses

• Prevent split tunneling


– Corporate policy decision
– Enforcement through Gateway/client software
capabilities
• Gateway sends only default route to client
• Client s/w reads routing table on client, reports to
gateway and/or blocks access if routes are found.
• Prevent active relay services or remote control
– Break connection if unexpected port is open on client
• Both defenses depend on client software ability
to determine true state of client machine.
– Depends on operating system and multitasking,
multiprocessing capabilities of client system.
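The two client-side checks on this slide (read the routing table and refuse split tunnels; break the connection if an unexpected port is listening) can be prototyped over command output. The following is an added example, not code from the talk or from any vendor's VPN client: it parses constructed text in the style of Linux `ip route` and `ss -ltn`. The interface name `ipsec0`, the gateway address, the port allow-list and all the sample lines are assumptions made for the example.

```python
"""Added example, not from the talk: client-side split-tunnel and relay-port
checks over constructed `ip route` and `ss -ltn` style output.  Interface
name, gateway address, allow-list and sample lines are made up."""
import re
from typing import Dict, List

TUNNEL_IFACE = "ipsec0"            # assumed name of the client's IPsec tunnel interface
ALLOWED_LISTEN_PORTS = {22}        # the only service the corporate client is expected to expose

# Constructed `ip route` output for a split tunnel: the default route stays on
# the LAN and only the corporate prefixes go into the tunnel.
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.200.0.1 dev ipsec0
10.200.0.0/24 dev ipsec0 proto kernel scope link src 10.200.0.17
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed output for a captive tunnel: the default goes into ipsec0; the
# only routes outside it are the LAN and the host route to the gateway itself.
CAPTIVE_ROUTES = """\
default via 10.200.0.1 dev ipsec0
10.200.0.0/24 dev ipsec0 proto kernel scope link src 10.200.0.17
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed `ss -ltn` output: an FTP server (21) is listening on all addresses.
SS_WITH_FTP = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
"""

SS_CLEAN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in (ROUTE_RE.match(l.strip()) for l in text.splitlines()) if m]


def split_tunnel_violations(text: str, gateway_ip: str) -> List[str]:
    """Routes that let traffic bypass the tunnel.  Permitted outside the tunnel:
    the directly connected LAN (needed to reach the ISP's DHCP/PPPoE server) and
    the host route to the VPN gateway's public address."""
    bad = []
    for r in parse_routes(text):
        if r["dev"] == TUNNEL_IFACE or r["dst"] == gateway_ip:
            continue
        if r["dst"] not in ("default", "0.0.0.0/0") and r["via"] is None and "/" in r["dst"]:
            continue                          # connected LAN prefix, no gateway
        bad.append(f'{r["dst"]} via {r["via"]} dev {r["dev"]}')
    return bad


def unexpected_listeners(text: str) -> List[int]:
    """Ports listening on a non-loopback address that are not on the allow-list."""
    ports = []
    for line in text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue                          # loopback-only service cannot relay
        if int(port) not in ALLOWED_LISTEN_PORTS:
            ports.append(int(port))
    return ports


def client_admitted(routes_text: str, ss_text: str, gateway_ip: str) -> Dict[str, object]:
    """What the client software would report to the gateway, or act on locally."""
    bad_routes = split_tunnel_violations(routes_text, gateway_ip)
    bad_ports = unexpected_listeners(ss_text)
    return {"split_tunnel": bad_routes, "relay_ports": bad_ports,
            "admit": not bad_routes and not bad_ports}
```

As the slide notes, the value of both checks is bounded by the client software's ability to see the true state of the machine: a compromised host can feed the checker a clean routing table and socket list, so the result should be treated as a report, not as proof.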

Branch-to-Branch IPsec VPN Routing Issues
[Diagram: two IPSec gateways across the Internet (untrusted network), a firewall and trusted network behind each; at each site, where does the default route point?]
• Misconfiguration
• Default Route issues
• Internal Routing Attack
Security risks of incorrect routing
in IPsec VPNs
• Traffic may be forced over an unprotected
path
– May be intercepted
• Traffic goes toward wrong destination
– Doesn’t get to correct destination
– May be intercepted
• Traffic follows “wrong” path toward correct
destination
– May be intercepted

Attacks on routing
• Injection of routes inside a site
– Malicious
• Routing process running on compromised host or router
• Redirect traffic toward a compromised system internal to trusted network
• Redirect via default route over unprotected path through untrusted network
– Misconfiguration
• Advertising routes via unprotected path
• Static routes configured in routers
• routed (routing daemon) running on unauthorized hosts
Protection against routing attacks

• Routing authentication
• Options for OSPF
– Keyed MD5 verifies identity
– Digital signature allows tracing of bad route
information
• Audit routers for bogus routes
• Restrict use of routing protocols on hosts
– Use default route instead
– Implement redundancy on routers (VRRP) or
switches in LAN, not in host routing
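The "Keyed MD5 verifies identity" option is OSPFv2 cryptographic authentication (RFC 2328, Appendix D). The following is an added example, not code from the talk or from any router vendor: it builds a Hello packet with AuType 2, computes the digest as MD5 over the packet followed by the shared key padded to 16 bytes, and verifies a genuine packet, a forged one, a tampered one and a replayed one. Router IDs, the area, the key and the neighbour state dictionary are made up for the example.

```python
"""Added example, not from the talk: OSPFv2 cryptographic authentication per
RFC 2328 Appendix D on a constructed Hello packet.  Router IDs, area and key
are made up; the verifier's neighbour state is a plain dictionary."""
import hashlib
import hmac
import struct

AUTH_CRYPTOGRAPHIC = 2      # OSPF AuType 2
DIGEST_LEN = 16
OSPF_HEADER_LEN = 24


def _dotted(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ospf_hello(router_id: str, area_id: str, key_id: int, crypto_seq: int,
               hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """OSPFv2 Hello (type 1) with AuType 2.  The checksum field is 0 and the
    packet length excludes the digest, as RFC 2328 requires."""
    body = struct.pack("!4sHBBI4s4s", _dotted("255.255.255.0"), hello_interval,
                       0x02, 1, dead_interval, b"\0" * 4, b"\0" * 4)   # mask, options, priority, dead, DR, BDR
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, crypto_seq)     # 0, key ID, auth data len, seq
    header = struct.pack("!BBH4s4sHH", 2, 1, OSPF_HEADER_LEN + len(body),
                         _dotted(router_id), _dotted(area_id), 0, AUTH_CRYPTOGRAPHIC)
    return header + auth + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append the keyed-MD5 digest (not HMAC: the padded key is simply concatenated)."""
    if len(key) > DIGEST_LEN:
        raise ValueError("RFC 2328 keys are at most 16 bytes")
    return packet + hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\0")).digest()


def verify(frame: bytes, keys: dict, last_seq: dict) -> tuple:
    """keys: key ID -> shared key.  last_seq: router ID -> last accepted sequence
    number, updated on success.  Returns (accepted, reason)."""
    if len(frame) < OSPF_HEADER_LEN + DIGEST_LEN:
        return (False, "too short")
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    if version != 2 or length + DIGEST_LEN != len(frame):
        return (False, "bad length")
    packet, digest = frame[:length], frame[length:]
    (autype,) = struct.unpack("!H", packet[14:16])
    if autype != AUTH_CRYPTOGRAPHIC:
        return (False, "not cryptographic authentication")
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys:
        return (False, "unknown key ID or bad digest length")
    expected = hashlib.md5(packet + keys[key_id].ljust(DIGEST_LEN, b"\0")).digest()
    if not hmac.compare_digest(expected, digest):
        return (False, "digest mismatch")          # forged, or modified in transit
    router_id = packet[4:8]
    # RFC 2328 only rejects sequence numbers lower than the last accepted one,
    # so an immediate replay of the newest packet is not caught by this check.
    if seq < last_seq.get(router_id, 0):
        return (False, "stale sequence number (replay)")
    last_seq[router_id] = seq
    return (True, "ok")


KEYS = {1: b"made-up-ospf-key"}     # 16 bytes, shared by every router in the area


def demo() -> dict:
    neighbour_state = {}
    good = sign(ospf_hello("10.1.0.1", "0.0.0.0", 1, 1000), KEYS[1])
    results = {"good": verify(good, KEYS, neighbour_state)}
    # A host on the LAN injects a Hello claiming the same router ID with a guessed key.
    forged = sign(ospf_hello("10.1.0.1", "0.0.0.0", 1, 1001), b"guess")
    results["forged"] = verify(forged, KEYS, neighbour_state)
    # The genuine packet altered in transit: router priority byte flipped.
    tampered = bytearray(good)
    tampered[OSPF_HEADER_LEN + 7] ^= 0xFF
    results["tampered"] = verify(bytes(tampered), KEYS, neighbour_state)
    # An older genuine packet replayed later.
    stale = sign(ospf_hello("10.1.0.1", "0.0.0.0", 1, 999), KEYS[1])
    results["replay"] = verify(stale, KEYS, neighbour_state)
    return results
```

Keyed MD5 proves that the sender holds the area's shared key, which is why the slide pairs it with "verifies identity" and reserves tracing of bad route information for digital signatures: any router (or compromised host) holding the shared key can originate routes that verify. Later work (RFC 5709) replaces the MD5 construction with HMAC-SHA for OSPFv2, but the packet handling above is the same.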

Default route attacks
• Where does default route point?
– To Internet?
– Lost “internal” route can result in traffic being sent over Internet
– Particularly problematic if the destination is reachable via Internet
• Key solution: policies on firewall
– No traffic to internal destinations goes out through firewall
– No traffic from internal source address can come in through firewall
• Harder solution: no default route to Internet
– Specific management/advertisement of “allowable” routes
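The two firewall rules above and the earlier "audit routers for bogus routes" item can be expressed directly. The following is an added example, not code from the talk or from any firewall product: it evaluates constructed packets against the two rules and audits a constructed routing table for internal prefixes pointed at the Internet, or missing altogether so that they would fall through to the default route. The internal prefixes, the provider next hop, the expected site prefixes and the sample table are all assumptions made for the example.

```python
"""Added example, not from the talk: the two default-route firewall rules and
a route audit over a constructed routing table.  Internal prefixes, the
Internet next hop and the expected VPN site prefixes are made up."""
import ipaddress
from typing import List, Tuple

INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
INTERNET_NEXT_HOP = "203.0.113.1"                     # provider router outside the firewall
EXPECTED_VPN_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def firewall_verdict(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """direction: 'out' = trusted network towards the Internet, 'in' = the reverse.
    Returns (verdict, reason); packets the two rules do not cover are handed on
    to the rest of the firewall policy as 'CONTINUE'."""
    if direction == "out" and is_internal(dst):
        return ("DROP", "internal destination leaving for the Internet (lost internal route?)")
    if direction == "in" and is_internal(src):
        return ("DROP", "internal source address arriving from the Internet (spoof or loop)")
    return ("CONTINUE", "")


def audit_routes(routes: List[Tuple[str, str]]) -> List[str]:
    """routes: (prefix, next hop) as a router would show them.  Flags internal
    prefixes pointed at the Internet, and expected site prefixes that have no
    specific route and would therefore follow a default route to the Internet."""
    findings = []
    covered = []
    default_to_internet = False
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            default_to_internet = default_to_internet or next_hop == INTERNET_NEXT_HOP
            continue
        covered.append(net)
        if next_hop == INTERNET_NEXT_HOP and is_internal(str(net.network_address)):
            findings.append(f"{prefix} is routed to the Internet via {next_hop}")
    for p in EXPECTED_VPN_PREFIXES:
        net = ipaddress.ip_network(p)
        if default_to_internet and not any(net.subnet_of(c) for c in covered):
            findings.append(f"{p} has no specific route and falls through to the Internet default")
    return findings


# Constructed routing table of the Site A CPE: 10.1/16 local, 10.2/16 via Site Y's
# gateway (the IPsec peer as next hop), 10.3/16 wrongly pointed at the provider,
# and 10.4/16 (a new network at Site Z) missing altogether.
SITE_A_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.1.0.0/16", "10.1.0.1"),
    ("10.2.0.0/16", "192.0.2.20"),
    ("10.3.0.0/16", "203.0.113.1"),
]


def demo() -> dict:
    return {
        "leak_out": firewall_verdict("out", "10.1.0.5", "10.3.0.9")[0],
        "spoof_in": firewall_verdict("in", "10.1.0.5", "10.1.0.9")[0],
        "web_out": firewall_verdict("out", "10.1.0.5", "198.51.100.7")[0],
        "reply_in": firewall_verdict("in", "198.51.100.7", "10.1.0.9")[0],
        "audit": audit_routes(SITE_A_ROUTES),
    }
```

The firewall rules are the backstop: even when the audit misses a bad route, traffic for 10.3.0.9 that follows it reaches the firewall with an internal destination and is dropped instead of crossing the Internet unprotected.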
Securing IPsec Routing – Dynamic Routing Requirements
[Diagram: IPsec gateway at Site A with firewall functions and routing in front of the SPD/SAD; one SA pair to the CPE at each of Sites X, Y and Z across the untrusted network; routing exchange via OSPF, RIP, etc. through the tunnels]
Securing IPsec Routing –
Dynamic Routing Requirements

• Strong Firewall capabilities


– Inbound/outbound
– Full range stateful inspection capabilities
• Full router functionality INSIDE the IPsec Gateway
– Route filtering to prevent attacks
– Ability to separate internal/external routes
– Ability to see IPsec peer gateways as next-hop for routes
learned via IPsec VPN tunnels
• Apply the routing rules by encapsulating the traffic,
with “next IPsec hop” as the destination

Conclusion:
Dynamic IPsec Routing opens new
vulnerabilities
• The manageability and flexibility of dynamic
routing are important for large networks, BUT:
• It is not enough to just add routing to an IPsec
VPN box
• Firewall traffic filtering PLUS full-featured routing
capabilities must be integrated into the system
• Remote access IPsec VPN security depends on
trusted client software
– To control insecure routing or relay capabilities of client
– Use intrusion detection monitoring for verification
Questions???

Thank You!
